Robert Herjavec compares hackers to professional burglars. “If they want to break in, there’s nothing you can do,” he tells Entrepreneur during a phone interview. “But you can have an alarm, a safe and a dog to stop them from getting away with anything once they’re in.”
(He has all of the above following a recent burglary at one of his homes.)
The Shark Tank star views cybersecurity much the same -- a game of strategically dodging bad guys and vigilantly keeping valuable data out of their greedy clutches. Through Herjavec Group, the Toronto-based Internet security firm he co-founded in 2003, he and his team of "ethical hackers" help enterprise companies throughout the globe do just that.
“Hackers generally don’t want to do hard work,” he says. “They look for the easier targets and our job is to make their job as hard as possible.”
This might surprise you, but Herjavec entered the technology business on a whim and with zero prior experience some 30 years ago. He was waiting restaurant tables and needed a better-paying gig. “When I learned how much it paid, I jumped at the chance,” he recalled in a Herjavec Group blog post. The self-made multimillionaire has come a long way since. Today, his company is one of the largest and most profitable information technology firms in Canada, with offices in New York City, the U.K. and Australia, and coming soon to Los Angeles.
We caught up with the veteran entrepreneur this week to find out which rookie cybersecurity mistakes he’s surprised people, even some of the tech-savviest among us, still make and how to avoid them.
1. Using dangerously dumb passwords.
You’d think we’d be past floating flimsy passwords by now, but apparently we’re not, with even high-profile (and super techie) founders such as Mark Zuckerberg failing to brush up on their password hygiene enough to keep hackers at bay. “Zuckerberg made some common mistakes when his social accounts were hacked that everyone can learn from,” Herjavec says. “He reused the same password for multiple logins and it was a simple word that wasn’t that hard to guess.” (The stolen password was “dadada,” not exactly an unpredictable one for a new father.)
Herjavec admits that he too is “really horrible” at crafting strong passwords. However, he says he generally feels safe anyway, thanks to Herjavec Group’s mandatory two-factor authentication login system. It calls for a standard username and password combo, plus an auto-generated PIN code. Without both, you can come knocking but you can’t get in.
The fix: Use different passwords for different accounts. Additionally, Herjavec recommends that you keep two different sets of unique passwords -- one for your personal accounts and one for your professional accounts -- and change them often.
“This may sound too basic,” he says, but be sure to craft your passwords to be at least eight characters and mix in an unpredictable garble of numbers, symbols and upper- and lowercase letters. “The harder it is for hackers to guess, the faster they’ll move on to someone else and leave you alone -- and please, don’t make your password ‘password’ or ‘1234.’ Really, I don’t understand how people still do that.”
2. Doing anything private on public Wi-Fi.
If you’re engaging in any online activity involving private data, such as your personal identifying information or credit card number, resist the temptation to do it on public Wi-Fi. “Sure, free and open access can be great and super convenient in a hurry, but it’s also all of those things to cybercriminals,” Herjavec says. Accordingly, he advises: “Don’t go into Starbucks and use their Wi-Fi to buy plane tickets or to do your banking, because, as I always say, the downside of public Wi-Fi is the word ‘public,’ and ‘public’ means you’re much more vulnerable to attack.”
The fix: Steer clear of public Wi-Fi whenever possible. When staying at a hotel, for a higher level of protection, Herjavec suggests only using the private Wi-Fi in your room, not the public Wi-Fi likely offered in the hotel lobby.
3. Falling for ransomware.
Ransomware attacks are on the rise across the globe. Hackers use ransomware to hold files hostage in the hopes that victims will pay to get them back. Enough people are falling for ransomware traps to make it the most profitable malware in history, per a report Cisco released this week.
“What ransomware basically does is freeze your computer,” Herjavec explains, “and then you have to pay money, often in bitcoin, to unfreeze it.” He says he’s “surprised and amazed” at how many “smart people” he personally knows, and that his company serves, who persist in clicking on files, emails and email attachments that they shouldn’t.
“I tell our customers, ‘You’re really not that sexy, there isn’t a woman in Russia who wants to meet you and you didn’t win a million dollars,’ because a lot of ransomware is initiated through emails that promise things like that to entice people to open them, which opens up your whole computer in an instant.”
The fix: Resist the temptation to click on or download any links, files, emails or attachments you think look fishy. Also, if you don’t already, make sure you routinely back up all of your files to external hard drives and to the cloud, Herjavec suggests, especially your most critical data. Keep the external drive unplugged between backups; a drive that stays connected gets encrypted along with everything else. Finally, be sure you have the latest anti-malware installed on your computer.
Should you accidentally click on and initiate ransomware, Herjavec suggests disconnecting your computer from the network immediately and contacting a cybersecurity expert or online security firm and letting them take it from there.
4. Giving away the keys to your bank account.
Identity thieves are increasingly technically advanced, yet we’re also increasingly aware of how to sniff out their phishing scams. “That’s why I’m surprised people still fall for their attacks,” Herjavec tells us. “They’ll send you an email that looks just like it came from your bank, requesting that you verify your account number or credit card status and with your birth date and PIN number.” The request for your account PIN alone should register as a red flag, he says. “Any time anyone asks you for something like that, it’s not goodness.”
The fix is simple: “Don’t respond, give nothing away and delete the email,” Herjavec says. “Remember, a bank would never ask you for your PIN in an email.” When in doubt, call your bank at the number on your card or statement, not one in the email, and ask whether it is trying to contact you to confirm account activity and information. If not, report the sketchy character who did.
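An email that “looks just like it came from your bank” usually gives itself away in three places that the eye skips over: the address behind the friendly display name, the host a link actually points to, and the request for a PIN or other secret. The script below is an added example, not part of the article and not Herjavec Group’s tooling; it parses two constructed messages (one phishing, one legitimate) and lists those tells. The bank domain and both messages are made up for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed bank domain and two constructed messages (not real mail) for illustration.
BANK_DOMAIN = "firstnational.example"

PHISH = """\
From: "First National Bank Security" <security@firstnational-verify.example>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<p>Dear customer, please <a href="http://firstnational-verify.example/login">confirm
your account</a> with your account number, date of birth and PIN.</p>
"""

LEGIT = """\
From: "First National Bank" <alerts@firstnational.example>
To: customer@example.org
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<p>Your statement is available at
<a href="https://www.firstnational.example/statements">Online Banking</a>.</p>
"""

# Things a bank does not ask for by email; matched on word boundaries.
SENSITIVE = ("pin", "password", "account number", "date of birth")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (www.bank.example -> bank.example). A real check
    would consult the public suffix list; this is enough for the illustration."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw: str, bank_domain: str) -> list:
    """Return the red flags found in one message; an empty list means no tell was found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The display name is free text; the address after it is what actually matters.
    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_domain = sender.domain if sender else "missing"
    if sender is None or registrable_domain(sender_domain) != bank_domain:
        findings.append(f"sender domain is {sender_domain}, not {bank_domain}")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""

    # 2. Link text can say anything; the href is where a click really goes.
    for href in re.findall(r"""href=["']([^"']+)""", body, flags=re.I):
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != bank_domain:
            findings.append(f"link points to {host}")

    # 3. A request for a PIN or similar secret is a red flag on its own.
    text = re.sub(r"<[^>]+>", " ", body).lower()
    for word in SENSITIVE:
        if re.search(rf"\b{re.escape(word)}\b", text):
            findings.append(f"asks for {word}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        flags = analyze(raw, BANK_DOMAIN)
        print(f"{label}: {len(flags)} red flag(s)")
        for flag in flags:
            print("  -", flag)
```

Run it and the phishing message produces five findings while the legitimate one produces none. The sender check is the weakest of the three on its own, since the From header can be forged outright; in practice the link targets and the request for secrets are what should settle it.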